Type: Bug
Resolution: Fixed
Priority: Major
Labels: None
Environment: Jenkins enterprise 1.509.5.1
Incorrect caching headers
Description:
The Cache-Control header tells servers, browsers and proxies whether the requested page content may be cached. It must be set whenever the server's response contains sensitive information.
Issue example:
The Jenkins web application uses incorrect Cache-Control headers. Below is an example server response. This is a structural issue.
HTTP/1.1 200 OK
Date: Tue, 25 Mar 2014 09:40:06 GMT
Server: Winstone Servlet Engine v0.9.10
Expires: 0
Cache-Control: no-cache,must-revalidate
X-Hudson-Theme: default
X-Frame-Options: SAMEORIGIN
Content-Type: text/html;charset=UTF-8
X-Hudson: 1.395
X-Jenkins: 1.509.5.1 (Jenkins Enterprise by CloudBees 13.05)
X-Jenkins-Session: 8456547e
X-Hudson-CLI-Port: 46210
X-Jenkins-CLI-Port: 46210
X-Jenkins-CLI2-Port: 46210
X-SSH-Endpoint: 10.75.35.116:59696
X-Instance-Identity: MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAufrFdr90ezSs51p3k56pEZ/57ErRzzF3jtp+FLU/f7M+84J6S35Y2NWo379t/sCTHCk/X/mUxy9ytx+lERSB1Vx4juXay/O+IaP2JrVD0NPQSrGmQo6ww/UzKkpZoAwRZFmHavm+dY0CtIuQkVD8M9BhaLLhtXzZipkEIM43Zj9gj04gP3kpsciu9U2jQ06sXWIJHdv9i51aa3iiW+kaFhmJea2KDI9h5trwOn8CqsTqAPfViubt4SrEhSrgklUnymJOAW8Auwy7he1B92nqf1k49Oi5XQ8amMFt8K3HCwxvQLE5rnp4gf4p+FaNYikqx5l10bPDAchMC9EnqdrxlwIDAQAB
Content-Length: 25927
X-Powered-By: Servlet/2.5 (Winstone/0.9.10)
Set-Cookie: JSESSIONID.414ae189=f714820873e51a11e4110cc582dab384; Path=/; HttpOnly
X-XSS-PROTECTION: 1; mode=block
Connection: close
Advice:
Set the correct Cache-Control header (no-store, no-cache) on all pages that contain sensitive information.
[JENKINS-24337] The Jenkins web-application uses incorrect cache-control headers
Change history:
Field | Original | New
Component/s | | core [ 15593 ]
Component/s | core [ 15738 ] |
Key | |
Project | Security Issues [ 10180 ] | Jenkins [ 10172 ]
Affects Version/s | unspecified [ 10170 ] |
Workflow | Security v1.2 [ 154480 ] | JNJira [ 157257 ]
Status | Untriaged [ 10001 ] | Open [ 1 ]
Resolution | | Fixed [ 1 ]
Status | Open [ 1 ] | Resolved [ 5 ]
Workflow | JNJira [ 157257 ] | JNJira + In-Review [ 194920 ]
Moving to the JENKINS project as I don't think this is a security vulnerability per se. After reading this post I still feel far from clear, but it does seem like the consensus is to also use no-store, so I'm going to make this change.